Mobile Virtualization: Security Panacea?

— May 25, 2011

Ubiquitous smartphones, tablets, and other wireless devices increasingly enable mobile workers to access company assets from outside HQ—on the road, at home, anywhere there is connectivity. Accommodating this consumerization of enterprise IT—letting workers acquire and use their own devices—presents formidable challenges to the security of enterprise infrastructure and to business-critical data and applications that use it.

Mobile virtualization can ease the burden of enterprise mobility, simplifying life for IT staff while giving road warriors and telecommuters a safe and secure platform for running enterprise apps and working with company data. At the same time these mobile workers can continue enjoying the features and fun capabilities of their smartphones free from the boss’ scrutiny.

The Situation – Mobility with a Chance of Productivity

Since the 1980s, companies have supplied employees with personal technology—first desktop PCs, then mobile phones and notebooks, and most recently, smartphones and tablets. The motive for these capital equipment investments was to make employees more accessible and organizations more productive, extending contact by voice and e-mail, enabling access to enterprise information systems, and giving workers the tools to be as productive on the road as they are in the office.

Results of these programs have been mixed. Challenges to mobility ROI have included:

The remaining puncture in the tires of enterprise mobility is security.

The IT Challenge – Mission Impossible?

Corporate management has handed IT staff a mandate to support consumerized enterprise mobility: roving employees must be able to log onto corporate networks, access company databases and e-mail servers, and run business-critical applications. Not just from desktop PCs and notebooks, not from IT-vetted hardware, but from employees’ own Android-based smartphones and other wireless devices.

The mission—make end users productive (and happy) without compromising hard-won company security and make them mobile without exposing corporate secrets and customer information to the prying eyes of hackers, identity thieves, and other black hats.

Before tidying up their resumes and heading for the door, IT staffers will likely consider a series of unappealing responses:

Lock down mobile applications and blacklist all Web sites that are not work-related

Wipe employee phones and install clean and secure company golden masters (if even possible)

Support only 1-2 handset and tablet models qualified for end users to buy and use

For technical and practical reasons, none of these options is really viable. So what’s a company to do?

The End-User Conundrum

This past year, after the winter holidays, workers in sales, support, marketing, engineering, accounting, facilities, and other departments returned to work with shiny new smartphones and tablets they received as gifts (or bought for themselves). These devices are not just for communication—they are lifestyle enhancers providing applications to manage diet and exercise, participate in social networks, coordinate schedules and track family members, educate, and entertain. And they also support Web browsing, e-mail, note taking, report writing, financial modeling—many or all productivity-enhancing activities previously hosted on PCs and notebooks—but in a friendly touch-driven form factor.

Around the proverbial water cooler, workers eager to leverage newfound mobility in (and out of) the workplace swap stories of their enterprise mobility experiences:

Joe from accounting let IT have his smartphone and now he can’t play the market on his own time (or play games or watch videos)

Wendy in sales had the support desk install company CRM and inventory management tools on her Web pad and now she can’t surf competitor Web sites and read popular blogs for industry

Developer Chad and even IT staffer Michelle had to remove network monitoring and console tools from their wireless devices to comply with mobile security policy

Fiona at the front desk could no longer display her favorite screen saver or use Facebook during coffee breaks

Each also realized that employer-installed software could probably track online browsing and download habits. With GPS-enabled phones and tablets, they could now add their physical location to the list of privacy concerns.

Everyone lost something: familiarity, personalization, utility, privacy, and ultimately, productivity and freedom—freedom to use their own devices as they like.

The result? Potentially productive mobile employees either walked away from their company’s enterprise mobility rollout or ended up carrying (at least) two devices: one to meet company requirements and an additional personal smartphone or tablet of their own.

Enterprise Mobility Approaches

A set of technologies and solutions has emerged to meet the “dual persona” challenge of personal and professional mobility:

Cloud-Based Portals – Cloud computing has impacted the entire enterprise IT landscape, including mobility. Web apps and cloud-based (virtual) servers have moved enterprise assets and applications out of headquarters data centers and onto the World Wide Web.

Cloud-based mobility most commonly supports e-mail (Webmail), help desks, and database-driven applications (CRM, etc.) but can also support *aaS (“anything as a Service”) paradigms. On the down side, *aaS greatly alters user experience, especially for legacy mobile and PC-native apps.

Encryption – Not an enterprise mobility solution per se but a means to protect on-device content and data in transit. Other solutions can leverage platform-native encryption (when present) or carry their own encryption engines.

System-Level Solutions – Using mobile virtualization (Type I hypervisors) to isolate business-critical enterprise software and data from open end-user environments by hosting each in secure virtual machines.

Three Pillars of Enterprise Mobility

The success of enterprise mobility rests upon three pillars: security, privacy and freedom. Security applies to corporate communications and assets; privacy and freedom apply to the actual device users.

In the following table, let’s examine how some leading technical approaches enhance enterprise mobility and can impact security, privacy, and freedom. Note that these approaches are not mutually exclusive and in many cases complement one another.

Columns: SECURITY / PRIVACY / FREEDOM. Rows marked + list benefits; rows marked - list drawbacks.

Cloud-Based Portals
+ Security: Authenticated access
+ Privacy: Accessible on-the-go
+ Freedom: Flexible, Web-based
- Security: Open to social engineering, key logging, Web-based cracking
- Privacy: Data in cloud open to employer scrutiny
- Freedom: May require specific browsers; not application-based (Web)

Application-Level Containers
+ Security: Easy deployment (application)
+ Freedom: Preserves outward look & feel
- Security: Non-standard APIs, closed environment, open to DoS attacks
- Privacy: User content visible to employer
- Freedom: Forces user/IT into proprietary environment, applications

Encryption
+ Security: Secures all technologies. Protects data locally, in transit.
+ Privacy: Enhances user privacy (especially Public Key Encryption)
+ Freedom: Secure communication with employer, family, friends
- Security: Platform-based encryption subject to root-level exploits.
- Privacy: Employers may retain passwords, keys, and backdoors
- Freedom: Adds complexity to user experience (not always transparent)

Mobile Device and Software Management (MDM/MSM)
+ Security: Can combine multiple security measures for apps and data
- Security: Focus on provisioning, wiping and tracking, not protection
- Privacy: Monitors / tracks users virtually and physically (LBS)
- Freedom: Changes device personality. Blacklists apps and sites

System-Level Solutions (with Virtualization)
+ Security: Fully isolates user and enterprise personas — maximum assurance
+ Privacy: Gives users 100% private partition for data and applications
+ Freedom: User persona preserves original device capabilities
- Security: User can still trash own partition!

Mobile Virtualization

Virtualization provides a secure, isolated, and robust run-time environment for programs (including Android and other OSes) that is indistinguishable from actual “bare” hardware. This virtual machine (VM) environment mimics actual computer hardware and isolates guest software stacks from one another. Providing the virtual machine environment and managing VM resources is a software layer called a hypervisor.

Mobile virtualization, like its data center cousin, runs underneath OSes and other software visible to applications and end users. It builds on Type I “bare metal” virtualization, as distinct from Type II hypervisors, which themselves run as applications over an OS (Type II virtualization is common on desktop systems, e.g., VMware Workstation/Fusion and Parallels).

Not only does mobile virtualization provide an ideal foundation for enterprise mobility, it is also deployed in mobile devices for other purposes—to host/partition legacy baseband radio software, to support cost reduction through chipset consolidation, and to implement military-grade security for ultra-secure and certified “superphones.”

Conclusion

Of the various options for implementing enterprise mobility securely while preserving end-user privacy and freedom, only mobile virtualization consistently balances all three pillars. Other solutions attempt to implement the form of dual persona functionality, but miss the substance: underlying security together with preserved privacy and freedom.

Built on widely deployed, hardware-based hypervisor technology, mobile virtualization isolates personal and corporate environments architecturally, from the hardware upward through the software stack. When security is not an afterthought, it can also be tailored to accommodate and enhance user privacy and to preserve the end-user experience.
